The barriers to cybersecurity research, and how to remove them
Earlier this year, a considerable number of computer scientists and lawyers from academia, civil society, and industry congregated at UC Berkeley School of Law to take part in a workshop aimed at discussing legal barriers and other deterrents to cybersecurity research, and at proposing concrete answers to those problems.
The attendees heard about real-world scenarios in which research has been chilled and about industry concerns. They discussed how the research environment can be improved, who the target audience for such research is, and which legal impediments make cybersecurity research difficult. They also reviewed current best practices and standards for security research and voluntary disclosure, proposed changes to them, and proposed amendments to existing laws in order to minimize the liability risks researchers face for conducting their research and sharing it with the world.
After noting that cybersecurity research is vital and should be a national priority, and that security by obscurity is a flawed concept, they pointed out that cybersecurity research is especially valuable for improving automobile safety and security, voting machine security and accuracy, and medical device security.
“The benefit of independent cybersecurity research is further underscored by the emergence of vulnerability rewards programs, commonly known as ‘bug bounty’ programs, developed by leading Internet companies to encourage adversarial research on their systems,” the group noted in a report published on Monday.
“Legal barriers to cybersecurity research are increasing,” they also noted. Aside from the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, and the wiretap laws, there are also contracts and Terms of Service agreements that discourage research based on modification of devices, reverse engineering, or collection of data.
“While there are arguments that the laws at issue would not be used to actually prosecute legitimate cybersecurity research, the laws are ambiguous and can be broadly interpreted, generating uncertainty that has a wide chilling effect,” they pointed out.
Strategies that reduce the risk of liability and that have been embraced by security researchers were discussed, and ideas were proposed on how to improve vulnerability reporting processes (best practices for both vendors and researchers).
Approaches for educating policymakers and the public about the issue were also discussed, as well as potential guidance from legal authorities on how existing laws could be interpreted.
Ultimately, the participants ended up sharing a set of recommendations for various entities, including the US Copyright Office, the US Department of Justice, university officials and general counsels, vendors, and the US Congress.